Secure Communication. Key distribution. Key explosion. Key exchange. Symmetric cryptography. Diffie-Hellman exponential key exchange

Transcription

1 Symmetric cryptography Both parties must agree on a secret key, K message is encrypted, sent, decrypted at other side Secure Communication E K (P) Key distribution must be secret otherwise messages can be decrypted users can be impersonated D K (C) Key explosion Each pair of users needs a separate key for secure communication K AB K AB K AC K BC 2 users: 1 key 4 users: 6 keys 3 users: 3 keys Key distribution Secure key distribution is the biggest problem with symmetric cryptography 100 users: 4950 keys 6 users: 15 keys 1000 users: keys n( n 1) n users: 2 keys Key exchange How can you communicate securely with someone you ve never met? Whit Diffie - idea for a public key algorithm goal: sender can create two sets of keys: one public and one private sender sends data encrypted with the receiver s public key receiver can decrypt data with her private key challenge: can this be done securely? Knowledge of public key should not allow derivation of private key Diffie-Hellman exponential key exchange Key distribution algorithm first algorithm to use public/private keys not public key encryption based on difficulty of computing discrete logarithms in a finite field compared with ease of calculating exponentiation allows us to negotiate a secret session key without fear of eavesdroppers 1

2 Diffie-Hellman exponential key exchange All arithmetic performed in field of integers modulo some large number Both parties agree on a large prime number p and a number α < p Each party generates a public/private key pair Diffie-Hellman exponential key exchange has secret key has public key Y A computes K = Y B has secret key X B has public key Y B private key for user i: X i public key for user i: Y i = i α X K = ( s public key) ( s private key) Diffie-Hellman exponential key exchange has secret key has public key Y A computes K Y B has secret key X B has public key Y B computes XB K' = Y mod = p K = ( s public key) ( s private key) A Diffie-Hellman exponential key exchange has secret key has public key Y A computes K Y B expanding: K = Y has secret key X B has public key Y B computes XB K' = YA mod expanding: = p B = ( α XB ) K' = Y XB A = ( α ) XB X BX A XB = α = α K = K K is a common key, known only to and Diffie-Hellman example Suppose p = 31667, α = 7 picks = 18 s public key is: Y A = 7 18 mod = 6780 K = mod K = picks X B = 27 s public key is: Y B = 7 27 mod = K = mod K = Key distribution problem is solved! User maintains private key Publishes public key in database ( phonebook ) Communication begins with key exchange to establish a common key Common key can be used to encrypt a session key increase difficulty of breaking common key by reducing the amount of data we encrypt with it session key is valid only for one communication session 2

3 RSA Ron Rivest, Adi Shamir, Leonard Adleman created a true public key encryption algorithm in 1977 Each user generates two keys private key (kept secret) public key Data encrypted with the private key can only be decrypted with the corresponding public key integrity, authentication Data encrypted with the public key can only be decrypted with the corresponding private key secure communication difficulty of algorithm based on the difficulty of factoring large numbers keys are functions of a pair of large (~200 digits) prime numbers RSA algorithm Generate keys choose two random large prime numbers p, q Compute the product n=pq randomly choose the encryption key, e, such that e and (p-1)(q-1) are relatively prime use the extended Euclidean algorithm to compute the decryption key, d: ed = 1 mod ((p-1)(q-1)) d = e -1 mod ((p-1)(q-1)) discard p, q RSA algorithm encrypt divide data into numerical blocks < n encrypt each block: c = m e mod n Communication with public key algorithms Different keys for encrypting and decrypting no need to worry about key distribution decrypt: m = c d mod n Communication with public key algorithms Communication with public key algorithms s public key: K A s public key: K A s public key: K B s public key: K B exchange public keys (or look up in a directory/db) E B (P) D b (C) encrypt message with s public key decrypt message with s private key 3

4 Communication with public key algorithms Public key woes s public key: K A E B (P) encrypt message with s public key D a (C) decrypt message with s private key s public key: K B D b (C) decrypt message with s private key E A (P) encrypt message with s public key Public key cryptography is great but: RSA about 100 times slower than DES in software, 1000 times slower in HW Vulnerable to chosen plaintext attack if you know the data is one of n messages, just encrypt each message with the recipient s public key and compare It s a good idea to reduce the amount of data encrypted with any given key but generating RSA keys is computationally very time consuming Hybrid cryptosystems Communication with a hybrid cryptosystem Use public key cryptography to encrypt a randomly generated symmetric key session key Get recipient s public key (or fetch from directory/database) s public key: K B Communication with a hybrid cryptosystem Communication with a hybrid cryptosystem s public key: K B s public key: K B Pick random session key, K E B (K) K = D b (E B (K)) Encrypt session key with s public key E B (K) K = D b (E B (K)) E K (P) D K (C) decrypts K with his private key encrypt message using a symmetric algorithm and key K decrypt message using a symmetric algorithm and key K 4

5 Communication with a hybrid cryptosystem s public key: K B E B (K) K = D b (E B (K)) E K (P) D K (C) Digital Signatures D K (C ) E K (P ) decrypt message using a symmetric algorithm and key K encrypt message using a symmetric algorithm and key K Digital signatures We use signatures because a signature is: Authentic Unforgeable Not reusable Non repudiatable Renders document unalterable Digital signatures We use signatures because a signature is Authentic Unforgeable Not reusable Non repudiatable Renders document unalterable ALL UNTRUE! Can we do better with digital signatures? Digital signatures - arbitrated protocol Arbitrated protocol using symmetric encryption turn to trusted third party (arbiter) to authenticate messages is trusted and has everyone s keys C=E A (P) Digital signatures - arbitrated protocol P= D A (C) encrypts message for herself and sends it to receives s message and decrypts it with s key - this authenticates that it came from - he may choose to log a hash of the message to create a record of the transmission 5

6 Digital signatures - arbitrated protocol Digital signatures - arbitrated protocol C = E B (P) P = D B (C ) now encrypts the message for and sends it to receives the message and decrypts it -it must have come from since only and have s key - if the message says it s from, it must be - we trust Digital signatures with multiple parties can forward the message to in the same manner. can validate stored hash to ensure that did not alter the message Digital signatures with multiple parties P = D B (C ) C = E B (P ) P = D B (C ) encrypts message with his key and sends it to decrypts the message - knows it must be from - looks up ID to match original hash from s message - validates that the message has not been modified - adds a signed by indicator to the message Digital signatures with multiple parties Digital signatures with multiple parties C = E C (P ) P = D C (C ) encrypts the new message for decrypts the message - knows the message must have come from - trusts s assertion that the message originated with and was forwarded through 6

7 Encrypting a message with a private key is the same as signing! E a (P) encrypt message with s private key D A (C) decrypt message with s public key What if was sending binary data? might have a hard time knowing whether the decryption was successful or not Public key encryption is considerably slower than symmetric encryption what if the message is very large? What if we don t want to hide the message, yet want a valid signature? Create a hash of the message Encrypt the hash and send it with the message Validate the hash by decrypting it and comparing it with the hash of the received message generates a hash of the message E a () E a () encrypts the hash with her private key sends the message and the encrypted hash 7

8 C = E a () C = E a () H = D A (C) H = D A (C) 1. decrypts the has using s public key 2. computes the hash of the message sent by If the hashes match - the encrypted hash must have been generated by - the signature is valid Digital signatures - multiple signers Digital signatures - multiple signers C = E a () C = E a () H 1 = D A (C) C 2 = E b () generates a hash (same as s) and encrypts it with his private key - sends : {message, s encrypted hash, s encrypted hash} : C 2 = E b () H 2 = D A (C 2 ) - generates a hash of the message: - decrypts s encrypted hash with s public key - validates s signature - decrypts s encrypted hash with s public key - validates s signature If we want secrecy of the message combine encryption with a digital signature use a session key: pick a random key, K, to encrypt the message with a symmetric algorithm encrypt K with the public key of each recipient for signing, encrypt the hash of the message with sender s private key C 1 = E a () generates a digital signature by encrypting the message digest with her private key. 8

9 C = E K (P) C 1 = E a () picks a random key, K, and encrypts the message (P) with it using a symmetric algorithm. C = E K (P) C 1 = E a () K C 2 = E B (K) K K C 3 = E C (K) encrypts the session key for each recipient of this message: and using their public keys. C = E K (P) C 1 = E a () K K C 2 = E B (K) K C 3 = E C (K) Message from : K : K The aggregate message is sent to and Message from : K : K K = E b (C 2 ) receives the message: - extracts key by decrypting it with his private key Message from Message from P = D K (C) P = D K (C) : K : K K = E b (C 2 ) : K : K K = E b (C 2 ) decrypts the message using K computes the hash of the message 9

10 Message from Message from P = D K (C) P = D K (C) H 1 = D A (C 1 ) : K : K K = E b (C 2 ) K A : K : K K = E b (C 2 ) looks up s public key decrypts s signature using s public key Cryptographic toolbox Message from : K : K P = D K (C) H 1 = D A (C 1 ) K = E b (C 2 ) H 1 =? Symmetric encryption Public key encryption One-way hash functions Random number generators Nonces, session keys Message authentication codes Made from hash functions Digital signatures Commonly: encrypted hash functions validates s signature The end 10